Flatpak Update Fails After Upgrading Curl To 8.10 In Debian 12 | How To Fix It

The Potential Consequences of Installing Core System Libraries from Debian Backports Repository

By sk

Today, I learned a valuable lesson about the potential consequences of installing core system libraries from backports repositories in Debian Linux. While backports can be useful for getting the latest features and updates, they can also introduce unexpected issues, especially when it comes to core system libraries. The flatpak update failed after upgrading Curl to 8.10 from Backports in my Debian 12 system. Let me share what happened, why it happened, how to solve it, and what you can learn from my experience.

The Issue: Flatpak Update Error

Recently, I tried to update my Flatpak applications using the flatpak update command. Instead of a smooth update, I encountered the following error:

Updating 1/23…                        0%  0 bytes/s
OSTree:ERROR:src/libostree/ostree-fetcher-curl.c:526:sock_cb: code should not be reached
Bail out! OSTree:ERROR:src/libostree/ostree-fetcher-curl.c:526:sock_cb: code should not be reached
Aborted (core dumped)

After some digging, I discovered that the problem was caused by a package called libcurl3-gnutls, which I had installed from the Debian Backports repository.

What Went Wrong?

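In simple terms, libcurl3-gnutls is a core system library: it is the build of libcurl linked against GnuTLS, and other programs load it to transfer data over the network. Flatpak is one of them, through libostree, whose curl-based fetcher (ostree-fetcher-curl.c) is where the error above was raised.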

When you install a package from the backports repository, you're essentially getting a newer version of that package than what's available in the stable Debian release. While this can be useful for getting the latest features, it can also cause compatibility issues, especially with core system libraries.

In my case, the newer version of libcurl3-gnutls from the backports repository was causing the flatpak update command to crash.

Some users have already reported this issue. The Debian developer Simon McVittie described it as follows:

[...]
You did already install a core system library (libcurl3-gnutls) from
a repository other than stable (bookworm-backports), and that's what
triggered this. If you can downgrade libcurl3-gnutls back to the version
from stable, that should avoid this issue.

Updating core system libraries like libcurl has a risk of regressions
associated with it - that's why we have stable releases! - and that
risk doesn't go away just because the package has been made available
in bookworm-backports.
[...]

Until a few days ago, I didn't know that I shouldn't install core system libraries from backports. So I downgraded the problematic package as the developer suggested.

How to Fix It

Fortunately, the fix is straightforward. You just need to downgrade the libcurl3-gnutls package to the version that comes with the stable Debian release. Let us see how to do it:

Step 1: List Available Versions

First, you need to see which versions of libcurl3-gnutls are available on your system. You can do this by running:

apt-cache policy libcurl3-gnutls

Sample Output from my Debian 12 system:

libcurl3-gnutls:  
 Installed: 8.10.1-1~bpo12+1
 Candidate: 8.10.1-1~bpo12+1
 Version table:
*** 8.10.1-1~bpo12+1 100
       100 /var/lib/dpkg/status
    7.88.1-10+deb12u7 500
       500 http://deb.debian.org/debian bookworm/main amd64 Packages
    7.88.1-10+deb12u5 500
       500 http://deb.debian.org/debian-security bookworm-security/main amd64 Packages

As you can see in the output above, the installed version is 8.10.1-1~bpo12+1, which is from the backports repository. The "bpo" in the version string indicates that it is a backports build. The stable version is 7.88.1-10+deb12u7.

Step 2: Downgrade the Package

To downgrade libcurl3-gnutls to the stable version, run:

sudo apt install libcurl3-gnutls=7.88.1-10+deb12u7

You'll see a confirmation prompt asking if you want to continue. Type y and press Enter.

Reading package lists... Done  
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
 libnghttp3-9 libngtcp2-16 libngtcp2-crypto-gnutls8
Use 'sudo apt autoremove' to remove them.
The following packages will be DOWNGRADED:
 libcurl3-gnutls
0 upgraded, 0 newly installed, 1 downgraded, 0 to remove and 0 not upgraded.
Need to get 385 kB of archives.
After this operation, 100 kB disk space will be freed.
Do you want to continue? [Y/n] y
Get:1 http://deb.debian.org/debian bookworm/main amd64 libcurl3-gnutls amd64 7.88.1-10+deb12u7 [385 kB]
Fetched 385 kB in 1s (727 kB/s)          
dpkg: warning: downgrading libcurl3-gnutls:amd64 from 8.10.1-1~bpo12+1 to 7.88.1-10+deb12u7
(Reading database ... 187778 files and directories currently installed.)
Preparing to unpack .../libcurl3-gnutls_7.88.1-10+deb12u7_amd64.deb ...
Unpacking libcurl3-gnutls:amd64 (7.88.1-10+deb12u7) over (8.10.1-1~bpo12+1) ...
Setting up libcurl3-gnutls:amd64 (7.88.1-10+deb12u7) ...
Processing triggers for libc-bin (2.36-9+deb12u8) ...

Now the package is downgraded to version 7.88.1-10+deb12u7.

Step 3: Verify the Downgrade

After the downgrade is complete, you can verify that the package has been downgraded by running:

apt-cache policy libcurl3-gnutls

You should see that the installed version is now the stable version, 7.88.1-10+deb12u7.

Step 4: Update Flatpak Applications

Finally, try running the flatpak update command again. This time, it should work without any errors.
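The check from Steps 1 to 3, generalized as an added example (not part of the original article): it lists every installed package whose version carries the ~bpo marker and, for each one, finds the newest non-backports version to name in apt install package=version. The function names and the --scan flag are this example's own, and the dpkg-query sample lines are constructed.

```shell
# Reads "status package version" lines, as printed by
#   dpkg-query -W -f='${db:Status-Abbrev} ${Package} ${Version}\n'
# and prints "package version" for installed (ii) packages with a ~bpo version.
list_bpo_packages() {
    awk '$1 ~ /^ii/ && $3 ~ /~bpo/ { print $2, $3 }'
}

# Reads `apt-cache policy <pkg>` output and prints the newest version offered
# by a repository other than backports (the version table is newest-first).
stable_candidate() {
    awk '
        /Version table:/ { in_table = 1; next }
        !in_table        { next }
        { sub(/^[ \t*]+/, "") }                    # drop indent and "***" marker
        NF == 2 && $2 ~ /^-?[0-9]+$/ { version = $1; next }  # "<version> <pin>"
        $2 == "/var/lib/dpkg/status" { next }      # local dpkg database entry
        $3 !~ /-backports/ { print version; exit } # "<pin> <url> <suite/comp> .."
    '
}

# Constructed sample lines (the second and third packages are made up).
sample_dpkg() {
    printf '%s\n' 'ii  libcurl3-gnutls 8.10.1-1~bpo12+1' \
                  'ii  example-stable-pkg 1.0-1' \
                  'rc  example-removed-pkg 2.0-1~bpo12+1'
}

# The article's sample `apt-cache policy` output, shortened by one entry.
sample_policy() {
    cat <<'EOF'
libcurl3-gnutls:
  Installed: 8.10.1-1~bpo12+1
  Candidate: 8.10.1-1~bpo12+1
  Version table:
 *** 8.10.1-1~bpo12+1 100
        100 /var/lib/dpkg/status
     7.88.1-10+deb12u7 500
        500 http://deb.debian.org/debian bookworm/main amd64 Packages
EOF
}

# On a Debian system: sh this-file --scan  (the --scan flag is this example's own)
if [ "${1:-}" = "--scan" ]; then
    dpkg-query -W -f='${db:Status-Abbrev} ${Package} ${Version}\n' | list_bpo_packages |
        while read -r pkg ver; do
            target=$(apt-cache policy "$pkg" | stable_candidate)
            printf '%s %s -> %s\n' "$pkg" "$ver" "${target:-no non-backports version}"
        done
fi
```

Each output line of the scan is a candidate for the downgrade in Step 2; review the list before changing anything, since only the core libraries need to go back to stable.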

Root Cause of the flatpak update Issue

If you've recently upgraded curl to version 8.10.0 from backports or compiled from the source, you will get the same error when trying to update your Flatpak applications.

I thought replacing the backports version of Curl with the stable version would fix this issue, but it didn't. I had to downgrade the libcurl3-gnutls package to fix it.

The root cause of the flatpak update failure was an incompatibility between a newer version of the curl library (8.10.0) and the libostree library used by flatpak.

  • As mentioned in the bug report, a Debian user reported that after upgrading curl to version 8.10.0, flatpak update began failing with an error message saying that code in the ostree-fetcher-curl.c file "should not be reached".
  • This was traced back to a commit in the libcurl library that changed how sockets are handled.
  • The issue was particularly pronounced for users who had installed libcurl3-gnutls from the bookworm-backports repository, as this provided a newer version of libcurl than the stable Debian release.
  • Downgrading libcurl3-gnutls to the stable version was confirmed as a workaround.
  • The maintainer of the ostree package in Debian applied patches from the upstream project to address the incompatibility with curl 8.10.x.
  • The fixed version of ostree was initially released in the unstable and testing Debian branches and later made available in the stable branch through the bookworm-proposed-updates repository.

Therefore, the flatpak update failures stemmed from a change in libcurl that affected libostree's functionality. This was resolved by applying patches to libostree to restore compatibility with the newer curl library.

So, if the flatpak update command fails after upgrading to Curl 8.10.0, simply downgrade libcurl3-gnutls back to the version from the stable repository as described above.

Potential Consequences of Installing Core System Libraries from Backports Repository

  • Regressions: Upgrading core system libraries like libcurl from backports carries a risk of regressions. Regressions are unintended consequences of software updates, causing existing functionalities to break or perform worse. This is why stable releases exist, to minimize such risks.
  • Compatibility issues: Installing a newer version of a core library from backports can lead to compatibility issues with other software that relies on the older version. This is because the updated library might have changes that are incompatible with the software designed for the previous version.
  • Dependency Conflicts: Backported libraries may have dependencies on newer versions of other libraries that are not available in the stable release. This can create dependency conflicts and prevent the proper functioning of the system.

Lessons Learned

1. Stick to Stable for Core Libraries

When it comes to core system libraries, it's generally safer to stick with the versions provided by the stable Debian release. These versions have been thoroughly tested and are less likely to cause compatibility issues.

2. Use Backports Wisely

While backports can be useful for getting the latest features, they should be used with caution. Only install packages from backports if you understand the potential risks and are prepared to deal with any issues that arise.

3. Know How to Downgrade

If you do encounter issues after installing a package from backports, knowing how to downgrade to a stable version can save you a lot of time and frustration.

Conclusion

Installing core system libraries from backports can introduce unexpected issues, as I learned the hard way. By sticking to stable versions and understanding the potential risks, you can avoid these problems and keep your system running smoothly. Remember, sometimes the latest isn't always the greatest, especially when it comes to core system components.

I am not saying Backports is not recommended. Just avoid installing system core libraries from backports. You can use it to install other apps.
